## https://sploitus.com/exploit?id=6C1CC87F-11CC-5F70-8422-4F1B8DD19CE6
# CVE-2017-12615 - Apache Tomcat Remote Code Execution (RCE)
**CVE-2017-12615** is a Remote Code Execution (RCE) vulnerability affecting **Apache Tomcat 7.0.0 through 7.0.79** running on **Microsoft Windows** when HTTP **PUT** requests are enabled.

The vulnerability exists because Tomcat incorrectly handles uploaded JSP files when the **DefaultServlet** is configured with the `readonly` parameter set to `false`. Under these conditions, an unauthenticated attacker can upload a malicious JSP file directly to the web server and execute arbitrary Java code simply by requesting the uploaded file.

This vulnerability became one of the most well-known Tomcat RCE issues due to how easy it was to weaponize against misconfigured servers.
---
## Affected Versions
- Apache Tomcat **7.0.0 - 7.0.79**
- Microsoft Windows installations
- HTTP PUT method enabled
- `readonly="false"` configured on the DefaultServlet
---
## Severity
| Metric | Value |
|--------|-------|
| CVE | CVE-2017-12615 |
| CVSS v3 | 8.1 (High) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | Remote Code Execution |
---
## Root Cause
Normally, Apache Tomcat prevents users from uploading executable JSP files.
However, when:

- HTTP PUT requests are enabled
- The DefaultServlet is writable (`readonly=false`)
- Tomcat is running on Windows

an attacker can upload a JSP file directly into the web root.

Once uploaded, requesting that JSP causes Tomcat to compile and execute it, allowing arbitrary Java code execution under the privileges of the Tomcat service.
---
## Attack Flow
```text
Attacker
│
│ HTTP PUT
▼
Uploads malicious JSP shell
│
▼
Tomcat stores file
│
│ HTTP GET
▼
Requests uploaded JSP
│
▼
Tomcat compiles JSP
│
▼
Java code executes
│
▼
Remote Code Execution
```
---
## Exploitation Process
A typical attack follows these steps:
1. Identify a vulnerable Tomcat instance.
2. Verify that HTTP PUT requests are allowed.
3. Upload a malicious `.jsp` web shell.
4. Request the uploaded JSP.
5. Execute arbitrary system commands.
6. Establish a reverse shell or deploy additional payloads.

No authentication is required if the server is vulnerable.
---
## Example Request
Example HTTP PUT request:
```http
PUT /shell.jsp HTTP/1.1
Host: victim.com
Content-Type: application/octet-stream
```
If successful, the server responds with:
```http
HTTP/1.1 201 Created
```
The payload can then be executed by visiting:
```
http://victim.com/shell.jsp?cmd=whoami
```
---
## Example Detection
A simple way to identify vulnerable systems is to attempt uploading a harmless test JSP:
```http
PUT /test.jsp
```
Possible responses include:
```
201 Created
```
or
```
204 No Content
```
If the uploaded file can subsequently be retrieved over HTTP, the server is likely vulnerable.
---
## Impact
Successful exploitation allows an attacker to:
- Execute arbitrary operating system commands
- Upload persistent web shells
- Obtain reverse shells
- Deploy malware or ransomware
- Steal sensitive information
- Pivot deeper into internal networks
- Fully compromise the affected Tomcat server
---
## Indicators of Compromise
Security teams should investigate for:
- Unexpected HTTP PUT requests
- Newly created `.jsp` files
- Unknown web shells
- Suspicious child processes spawned by Tomcat
- Reverse shell network connections
- Unusual activity within the Tomcat web root
---
## Mitigation
Recommended mitigations include:
- Upgrade Apache Tomcat to a patched release.
- Disable HTTP PUT unless absolutely required.
- Ensure the DefaultServlet uses `readonly="true"`.
- Restrict upload permissions.
- Monitor for unexpected JSP file creation.
- Deploy a Web Application Firewall (WAF).
- Regularly review Tomcat access logs for suspicious PUT requests.
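
One way to carry out the access-log review above, and to look for the PUT and new-JSP indicators listed under Indicators of Compromise, is to correlate successful PUTs of JSP files with later requests for the same file. This is an added example, not code from this repository; it assumes the AccessLogValve `common` log pattern, and the function names, addresses and log lines are constructed for illustration.

```python
import re

# Assumed log format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+')
JSP = re.compile(r"^(.*?\.jspx?)", re.IGNORECASE)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2017:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1142
203.0.113.7 - - [12/Oct/2017:10:01:05 +0000] "PUT /test.jsp HTTP/1.1" 201 -
203.0.113.7 - - [12/Oct/2017:10:01:09 +0000] "GET /test.jsp?cmd=whoami HTTP/1.1" 200 23
198.51.100.4 - - [12/Oct/2017:10:02:00 +0000] "PUT /upload/report.txt HTTP/1.1" 201 -
198.51.100.4 - - [12/Oct/2017:10:03:00 +0000] "PUT /probe.jsp HTTP/1.1" 403 -
""".splitlines()


def jsp_key(uri):
    """Lower-cased path up to the .jsp/.jspx extension, or None if there is none.

    The extension is matched anywhere in the path, so extra characters after
    it do not hide an upload from the correlation below.
    """
    match = JSP.match(uri.split("?", 1)[0])
    return match.group(1).lower() if match else None


def find_jsp_uploads(lines):
    """Return one finding per JSP written by PUT, with later successful hits on it."""
    uploads = {}
    for line in lines:
        parsed = LINE.match(line)
        if not parsed:
            continue
        host, when, method, uri, status = parsed.groups()
        key = jsp_key(uri)
        if key is None:
            continue
        if method == "PUT" and status in ("201", "204"):
            # 201 = new file created, 204 = existing file overwritten.
            uploads.setdefault(key, {"path": key, "uploaded_by": host,
                                     "uploaded_at": when, "status": status,
                                     "requested_by": []})
        elif key in uploads and status.startswith("2"):
            uploads[key]["requested_by"].append((host, when, method))
    return list(uploads.values())


if __name__ == "__main__":
    for finding in find_jsp_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `requested_by` list means the uploaded JSP was subsequently served, which is the point at which Tomcat compiles and runs it; treat it as a likely compromise rather than a probe.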
---
## Technical Summary
| Property | Value |
|----------|-------|
| Vulnerability | Arbitrary JSP Upload |
| CWE | CWE-434 - Unrestricted Upload of File with Dangerous Type |
| Authentication Required | No |
| Exploit Complexity | Low on vulnerable configurations |
| Result | Remote Code Execution |
| Platform | Windows |
| Service | Apache Tomcat |
---
## Disclaimer
This repository is intended solely for educational purposes, defensive security research, and authorized penetration testing. Do not use this information against systems without explicit permission.